• No se han encontrado resultados

Appendix

In document Three Essays in Macroeconomics and Finance (página 105-119)

9.1. About the Security Subsystem

The security subsystem provides the infrastructure for all security functionality in the JBoss Enterprise Application Platform. Most configuration elements rarely need to be changed. The only configuration element which may need to be changed is whether to use deep-copy-subject-mode. In addition, you can configure system-wide security properties. Most of the configuration relates to security domains.

Deep Copy Mode

If deep copy subject mode is disabled (the default), copying a security data structure makes a reference to the original, rather than copying the entire data structure. This behavior is more efficient, but is prone to data corruption if multiple threads with the same identity clear the subject by means of a flush or logout operation.

Deep copy subject mode causes a complete copy of the data structure and all its associated data to be made, as long as they are marked cloneable. This is more thread-safe, but less efficient.

System-Wide Security Properties

You can set system-wide security properties, which are applied to java.security.Security class.

A security domain is a set of Java Authentication and Authorization Service (JAAS) declarative security configurations which one or more applications use to control authentication, authorization, auditing, and mapping. Three security domains are included by default: jboss-ejb-policy, jboss-web-policy, and other. The Management API, Management Console, and Management CLI use the other security domain. You can create as many security domains as you need to accomodate the needs of your applications.

Report a bug

9.2. About the Structure of the Security Subsystem

The security subsystem is configured in the managed domain or standalone configuration file. Most of the configuration elements can be configured using the web-based management console or the console-based management CLI. The following is the XML representing an example security subsystem.

Example 9.1. Example Security Subsystsem Configuration

<security-domains>

<security-domain name="other" cache-type="default">

<authentication>

<security-domain name="jboss-web-policy" cache-type="default">

<authorization>

<policy-module code="Delegating" flag="required"/>

</authorization>

</security-domain>

<security-domain name="jboss-ejb-policy" cache-type="default">

<authorization>

<policy-module code="Delegating" flag="required"/>

</authorization>

</security-domain>

</security-domains>

<security-properties>

...

</security-properties>

</subsystem>

The <security-management>, <subject-factory>, and <security-properties> elements are empty in the default configuration.

Each top-level element within the security subsystem contains information about a different aspect of the security configuration.

<security-management>

This section overrides high-level behaviors of the security subsystem. Each setting is optional.

It is unusual to change any of these settings except for deep copy subject mode.

Option Description

deep-copy-subject-mode Specifies whether to copy or link to security tokens, for additional thread safety.

authentication-manager-class-name Specifies an alternate AuthenticationManager implementation class name to use.

default-callback-handler-class-name Specifies a global class name for the CallbackHandler implementation to be used with login modules.

authorization-manager-class-name Specifies an alternate AuthorizationManager implementation class name to use.

audit-manager-class-name Specifies an alternate AuditManager implementation class name to use.

identity-trust-manager-class-name Specifies an alternate IdentityTrustManager implementation class name to use.

mapping-manager-class-name Specifies the MappingManager

implementation class name to use.

<subject-factory>

The subject factory controls creation of subject instances. It may use the authentication manager to verify the caller. The main use of the subject factory is for JCA components to establish a subject.It is unusual to need to modify the subject factory.

<security-domains>

A container element which holds multiple security domains. A security domain may contain information about authentication, authorization, mapping, and auditing modules, as well as JASPI authentication and JSSE configuration. Your application would specify a security domain to manage its security information.

<security-properties>

Contains names and values of properties which are set on the java.security.Security class.

Report a bug

9.3. Configure the Security Subsystem

The top-level configuration of the security subsystem includes one attribute, deep-copy-subject-m ode which includes child eledeep-copy-subject-ments security-dodeep-copy-subject-m ains and security-properties. You can configure the security subsystem using the Management CLI or web-based Management Console.

Deep Copy Mode

If deep copy subject mode is disabled (the default), copying a security data structure makes a reference to the original, rather than copying the entire data structure. This behavior is more efficient, but is prone to data corruption if multiple threads with the same identity clear the subject by means of a flush or logout operation.

Deep copy subject mode causes a complete copy of the data structure and all its associated data to be made, as long as they are marked cloneable. This is more thread-safe, but less efficient.

System-Wide Security Properties

You can set system-wide security properties, which are applied to class java.security.Security class.

Security Domains

A security domain is a set of Java Authentication and Authorization Service (JAAS) declarative security configurations which one or more applications use to control authentication, authorization, security auditing, and security mapping. Three security domains are included by default: jboss-ejb-policy, jboss-web-policy, and other. The Management API, Management Console, and Management CLI use the other security domain. You can create as many security domains as you need to accomodate the needs of your applications.

Report a bug

9.4. About Deep Copy Subject Mode

If deep copy subject mode is disabled (the default), copying a security data structure makes a reference to the original, rather than copying the entire data structure. This behavior is more efficient, but is prone to data corruption if multiple threads with the same identity clear the subject by means of a flush or logout operation.

Deep copy subject mode causes a complete copy of the data structure and all its associated data to be made, as long as they are marked cloneable. This is more thread-safe, but less efficient.

Deep copy subject mode is configured as part of the security subsystem.

Report a bug

9.5. Enable Deep Copy Subject Mode

You can enable deep copy security mode from the web-based management console or the management CLI.

Procedure 9.1. Enable Deep Copy Security Mode from the Management Console

In document Three Essays in Macroeconomics and Finance (página 105-119)
Descargar ahora "Three Essays in Macroe..."

Outline

Documento similar